On two launches, sensors have shut off engines in flight for safety


Discovery sits on pad 39B of the Kennedy Space Center, one day after its mission was scrubbed. NASA delayed the mission because of a faulty reading from one of four fuel sensors located at the bottom and inside the external fuel tank.

When a low-level sensor in Discovery’s propellant tank malfunctioned during Wednesday’s countdown, mission commander Eileen Collins must have had that “déjà vu” feeling. And she would have had no objection to calling off the launch — because the proper functioning of exactly such a sensor may have saved her spaceship, even her life, on her previous launch in 1999.

The sensors exist to warn the shuttle's guidance computers of an imminent exhaustion of either of the spaceship's two propellants, liquid oxygen and liquid hydrogen. Although normally the spaceship's main engines are shut down based on reaching a preset velocity, designers knew that unusual conditions might lead to running out of one or the other tank contents before that desired end condition is met.

In such a case, the high-speed engine turbopumps would be sucking gas instead of denser liquid and could overspeed and disintegrate within seconds. Or the mixture ratio of the two propellants would be thrown wildly out of kilter, resulting in an explosive situation that could destroy one or more of the engines.

In the worst case, such an engine fire or explosion could damage other hardware in the shuttle’s tail. Loss of the auxiliary maneuvering pods, or of the aerodynamic flaps in that area, would almost certainly doom the crew.

Exactly such an outcome was safely avoided in July 1999 when Collins was in command on shuttle Columbia. This was the STS-93 mission that was to deploy the Chandra X-Ray Telescope and its booster rocket into space.

The malfunctions that led to the shutdown were frighteningly familiar in light of other shuttle catastrophes. For Challenger in 1986 and Columbia in 2003, a chain of unlikely events cascaded without interruption toward disaster. But in July 1999, another potentially lethal failure cascade was stymied by the proper functioning of the low-level sensors.

Sensor saves the day

Just at engine ignition, a pin tore loose from inside one of Columbia’s engines, and as it flew out the back end, it dinged the engine nozzle. Liquid hydrogen is circulated through about a thousand small lines inside the nozzle to cool the metal wall against the combustion temperatures and to heat the hydrogen for more efficient burning.

Several of those lines were punctured by the falling pin, and some hydrogen began spewing out. It ignited, and in video taken during liftoff it was seen as a flame protruding from the inner wall of the nozzle. The rate of leakage was not too high, but the engine controller noticed a slight loss of power and tweaked up the flow of oxygen into the engine to compensate. This worked, but increased the consumption rate of the oxygen.

Nevertheless, the reserve supply of oxygen that had been loaded just in case of unusual situations was actually almost enough to make it all the way to the normal cutoff point.

But only seconds before reaching that point, sensors in Columbia’s oxygen tank went “dry,” indicating exhaustion of the supply. First one, and then another of the four sensors signaled “dry” — and the rule is to require two votes to persuade the computer the signal is genuine. At that point, emergency engine shutdown was ordered, and all three engines stopped firing.

It was just 0.15 seconds prior to the nominal shutdown. Since the shuttle was accelerating at 3 G's, three times the force of gravity (32.2 feet/second/second), it was still picking up speed at a rate of about 100 feet per second every second. In terms of the orbit it was aiming for, it was raising the far end of its circular earth-girdling path by about 60 miles every second.

So if the shutdown had been ordered only a second earlier in the 520-second climb into space — if the hydrogen leak had been a fraction of a percent faster — Columbia would have fallen short of a stable, safe orbit. It would have had to immediately head back to Earth for an emergency landing in West Africa.

In postflight analysis, space engineers discovered that the actual oxygen load was also a bit lower than they had intended, but within what they had thought were adequately tight margins. Combined with the independent leak, these two separate occurrences came within one second of triggering an extremely hazardous emergency landing.

Such a “Trans-Atlantic Abort Landing” (or “TAL”) had never been performed before, and it would have put high stress on the shuttle's heat shield and on its crew. It probably would have worked — the crew was fully trained for attempting it — but would have been extraordinarily dangerous.

On the actual flight in July 1999, the velocity shortfall was only about 12 feet/second (about 8 mph out of the required 18,000 mph for stable orbital flight), which translated into being perhaps eight miles low. The Chandra telescope's booster rocket had plenty of extra power to make up for this, and the mission proceeded normally.

The underspeed was hardly noticed, because another far more serious failure on the launch had brought the crew much closer to loss of vehicle and crew. Two separate short circuits in wires connecting main engine control computers threatened to shut off one — or more — of the engines early in the flight, throwing the mission into an abort mode without any airfield in range. The crew would have had to bail out in the final moments of their descent toward the ocean.

More than once — but when?

A different flavor of low-level sensor failure might also be able to send an ascending shuttle into a similar emergency descent. If two of the sensors failed “dry” even while there was propellant remaining, the engine control computers could be misled into declaring a nonexistent “low level” situation.

To protect against this, shuttle computers ignore the low-level sensors until the clock is within 10 seconds of the expected normal shutdown. But if two sensors have broken in the same way, and alert operators in Mission Control in Houston haven't noticed this in time to disarm them, the main engines could then shut down erroneously, 10 seconds and about 700 mph short of a safe orbit. An emergency return to Earth — perhaps over the ocean, or just perhaps within range of an emergency landing field — would then be inevitable.
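The two-vote rule and the 10-second arming window described above can be modeled in a few lines. This is an added illustration, not shuttle flight software or code from the article; the sensor timings, the 50 ms polling step and all names are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

ARM_WINDOW_MS = 10_000   # article: sensors are ignored until 10 s before expected shutdown
VOTES_REQUIRED = 2       # article: two "dry" votes are needed to believe the signal
NOMINAL_MS = 520_000     # article: 520-second climb to the normal cutoff point

@dataclass
class Sensor:
    dry_at_ms: Optional[int]   # constructed: when the sensor starts reading "dry" (None = never)
    disarmed: bool = False     # ground operators disarmed it after spotting a failure

    def votes_dry(self, t_ms: int) -> bool:
        return (not self.disarmed
                and self.dry_at_ms is not None
                and t_ms >= self.dry_at_ms)

def engine_cutoff(sensors, nominal_ms=NOMINAL_MS, step_ms=50):
    """Return (time_ms, reason) at which the engines stop in this simplified model."""
    arm_at = nominal_ms - ARM_WINDOW_MS
    # Polling starts at arm_at, so any "dry" reading before then is ignored.
    for t in range(arm_at, nominal_ms, step_ms):
        if sum(s.votes_dry(t) for s in sensors) >= VOTES_REQUIRED:
            return t, "low-level cutoff"
    return nominal_ms, "nominal velocity cutoff"

def scenarios():
    """Constructed sensor timelines covering the cases the article walks through."""
    cases = {
        # Tank really runs out just before the end: second vote arrives 0.15 s early.
        "genuine depletion": [Sensor(519_800), Sensor(519_850),
                              Sensor(519_900), Sensor(519_950)],
        # A single sensor stuck "dry" cannot command a shutdown on its own.
        "one sensor failed dry": [Sensor(100_000), Sensor(None),
                                  Sensor(None), Sensor(None)],
        # Two stuck sensors trip the cutoff the moment the window arms, 10 s short.
        "two sensors failed dry": [Sensor(100_000), Sensor(120_000),
                                   Sensor(None), Sensor(None)],
        # Same failure, but operators disarmed both sensors in time.
        "two failed, both disarmed": [Sensor(100_000, disarmed=True),
                                      Sensor(120_000, disarmed=True),
                                      Sensor(None), Sensor(None)],
    }
    return {name: engine_cutoff(s) for name, s in cases.items()}

if __name__ == "__main__":
    for name, (t_ms, reason) in scenarios().items():
        print(f"{name:28s} -> {reason} at {t_ms / 1000:.2f} s")
```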

This 1999 experience and these dramatic possibilities underscore the criticality of launching only with fully functioning low-level sensors. And apparently Collins' most recent flight wasn't the only time this has happened.

In response to a query from MSNBC.com, NASA Johnson Space Center spokesman Pat Ryan e-mailed that experts told him it had happened once before. "There have been two low level cutoffs in the history of the program, both of them for real, out of gas situations," he e-mailed. "In other words [this was] when the sensors operated properly."

"I don't believe there has ever been an in flight failure of [low-level] sensor at all," he added, and other sources have confirmed this.

However, as of this writing, officials and private sources have not been able to identify the other case of an early engine shutdown commanded by the sensors. "I know we have had a [low-level] cut off on at least a couple of flights, including one of mine," an astronaut e-mailed MSNBC.com while requesting that his or her name not be used. "One of my flights, I think, had [engine cutoff] due to low fuel." But Internet-accessible files have provided no confirmation of this.

So although the documentation difficulties have frustrated press inquiries into the full history of this failure mode, the big picture is clear.

Collins and her crew, and everybody else watching this flight, can be relieved that they didn't wind up making a new entry into the small — but non-zero — history of low-level sensor mission anomalies.
